Infosec bods scorn card-swiping Coin over security fears

Deprecated money-moving tech is still secure, insists biz

All-in-one digital payments start-up Coin has issued a robust defence of its technology following criticism from an infosec firm.

Coin offers a single combined credit/debit/loyalty/store card that's paired with a user's mobile phone. The Coin app requires that you take a picture of the front and back of the card, type in your card details, and then swipe the card (using a reader it provides) to ensure the card’s encoded magnetic stripe data matches the card details provided.

It is not possible to complete these steps unless you are in physical possession of a card.

However, security researchers at IOActive fear the technology inadvertently creates new avenues for abuse, in particular by opening the door to more potent skimming attacks.

Wim Remes, managing consultant for IOActive, explained: "Coin seems like an interesting idea, presented as a technology that simplifies how we use cards with magnetic stripes today. In essence, however, it also offers itself as a personal skimming device. From the information currently available about Coin, most of the security features that the inventors have implemented appear to be opt-in. Beyond a Bluetooth connection with a mobile phone it is to be assumed there are no further authentication features in the technology."

"At first glance there are abundant possibilities for abuse. For example, a person that gets temporary access to your Coin device would be capable of recording magnetic stripe data from all the cards stored on it. Most cards currently get skimmed in retail environments and it is not too difficult to track down where a card got compromised. With Coin, however, a user could present a debit card that will get correctly charged while the credit card can be skimmed after the attacker has pushed the Coin button to select another card. You give an attacker your entire wallet, without any controls, instead of a single card," he added.

In response to El Reg's query, Coin acknowledged skimming was still an issue but maintained its technology was actually less at risk from skimming than conventional mag stripe cards.

"A Coin is less susceptible to some card skimming techniques that take a picture of the card as it is swiped since Coin does not display the full card details on the front or back of the device," said the company. "A Coin is no less susceptible than your current cards to other forms of skimming that capture data encoded in the magnetic stripe as the card is swiped. Also, you can only add cards that you own to your Coin."

Remes contended that any technology based on magnetic stripes was no longer suitable for credit or debit cards and that the harder-to-clone Chip and PIN technology was preferable.

"At best, the technology seems fit for low-value reward cards but definitely not for credit or debit cards. The fact of the matter is that in a world where card fraud is still running rampant, we should focus on the adoption of EMV [Europay, MasterCard and Visa] technology rather than making the use of magnetic stripe cards easier," he concluded.

For now at least, Coin works only with mag-stripe-only cards. Chip and PIN (EMV smart cards) have been standard in Europe since 2005 but the technology has only just been introduced in the US and is not expected to be the de facto standard for point-of-sale retail terminal transactions until October 2015. The technology was also recently introduced in the Asia-Pacific region.

This means that Coin is attempting to address a market for technology that's only really useful in the US, and perhaps only for a short period at that, measurable in months rather than years.

Coin's card-swiping tech, which costs $100 and is initially available only in the US, will ship only in summer 2014.

In an FAQ, Coin said it plans to adapt its technology to support EMV smart cards.

"Coin is currently designed for the U.S. market and does not support Chip and PIN (EMV), however, future generations of the device will include EMV."

IOActive is far from the only security firm to raise a quizzical eyebrow at Coin, with others focusing on the digital certificate and cryptography used on its websites and other factors. Coin contends it has all these bases covered.

"Maintaining the integrity of your Coin’s data is critical to your peace of mind. That’s why our servers, mobile apps and the Coin itself use 128-bit or 256-bit encryption for all storage and communication (http and bluetooth). Additionally Coin can alert you in the event that you leave it somewhere."

"In the event that your Coin loses contact with your phone for a period of time that you configure in the Coin mobile app, it will automatically deactivate itself. Your Coin account is password protected and the mobile app requires that you type in your password before you can access sensitive card details."

"Currently you cannot lock your Coin, but you don’t have to. Coin will automatically deactivate if it loses contact with your phone for a period of time that you configure in the Coin mobile app."

Mike Davis, principal research scientist for IOActive, has mixed feelings about Coin's use of radio connection technology.

"The use of BLE (Bluetooth Low Energy) is technologically the perfect choice for Coin, as the company can use super thin and flexible lithium polymer batteries, and eInk displays enabling users to get years of battery life out of a device," Davis explained. "And that’s even before breaching the subject of inductive charging."

"Security-wise there are a few issues," Davis warned. "While the BLE specification does include encryption, few, if any, devices have implemented it yet. Additionally, BLE has known issues when it comes to secure pairing and the only secure method 'Out of Band' may not be a realistic option for a product like Coin," he added.

Coin submitted its technology for certification under the PCI DSS payment industry regulatory standard. A device such as a Coin is seen as similar to a payment card in a consumer’s wallet so the PCI Security Standards Council's separate certification for payment applications (PA-DSS) is not applicable to Coin. ®